ASA 5520 NAT ICMP replies Private and not Public

I have an ASA 5520 along with a Cisco 3745 Router. Here is the problem. I have two separate external networks coming into the ASA, 10.10.11.0/24 and 10.10.12.0/24, and one internal network, 172.16.100.0/24. You can see from the config what I have. I have two static policy NAT entries pointing 10.10.11.20 --> 172.16.100.20 and 10.10.12.25 --> 172.16.100.25.
I also have four access rules that allow ICMP and Telnet. I can telnet to 10.10.11.20 and it opens the telnet session to 172.16.100.20, and I can also telnet to 10.10.12.25, which also works just fine. The pings, however, will not work unless I create a NAT rule that sends the traffic out the main GIG0/0 interface. I would like to be able to ping 10.10.11.20 and get a reply from 10.10.11.20 and not 10.10.10.20 or the internal IP 172.16.100.20. I hope this makes sense...

That is likely the source of the problem. TCP, the protocol used for telnet, is session based, thus the server is able to reply out the interface the traffic came in on and use the default gateway for that interface. But for non-session-based protocols like ICMP or UDP, using a single server with 2 interfaces and 2 default gateways will not work in that fashion. The server is unable to reply out the interface that the traffic came in on, thus ping appears not to work.

Is this a testing configuration or the end configuration? If it's the testing configuration, then use 2 separate servers to test the environment. If it's the end configuration, the only solution I can think of would be to PAT all internet traffic to the 2 inside interfaces.

Here is a question around this then. Since I added NAT statements for anything internal to the external interface, my ICMP replies work, but I am getting replies from my internal address, not the public IP. Is there any way that these can be converted to proper public IPs? When I ping 10.10.12.25 I get replies from 172.16.100.25.

Again, this is happening because the server can't send the traffic out the correct interface when you use ICMP. So you're seeing asymmetric routing. You send inbound traffic in to 10.10.12.25, but the replies come back out 172.16.100.25. Because you have 1 server with 2 default routes, one of those routes gets used for ICMP replies. So the traffic will appear to always come from that IP no matter which interface you ping.

Actually the server has a single route back to the ASA. The IP address is just a secondary IP on the same network card. They are all part of a single network range, so the default gateway is the same: 172.16.100.0/24 with a gateway of 172.16.100.5.

So the server has 1 NIC with 2 IPs on it, the primary being 172.16.100.25 and the additional being 10.10.12.25? If so, then again the issue is the same. The ICMP replies will use the default gateway and thus be seen as coming "from" the primary IP of the server. Is this a Windows 2008 server? If so, then you should be aware there are other issues that can arise from having 2 IPs on the same NIC on the same server. Here are some articles to review if using Windows:

Also, are you testing this through an Internet connection from a completely different subnet than one of the ones that you have on the firewall? If so, then it would not likely work. The ASA cannot use 2 default gateways at the same time. One will be used unless that interface is down, and then the other will be used. So you will not be able to connect this firewall to 2 Internet connections and access the external IPs from the Internet through 2 separate ISPs.

Private IPs are 172.16.100.20 and 172.16.100.25
ASA Interface GIG 0/1 10.10.10.0/x Gateway 10.10.10.1 Metric1
ASA Sub interface VLAN200 GIG 0/1.1 10.10.11.20/24 --> 172.16.100.20
ASA Sub interface VLAN300 GIG 0/1.2 10.10.12.25/24 --> 172.16.100.25
The end game is that I have one ISP that is handing me two separate network schemes. One is using BGP and the other is not using any BGP.

I would consider redesigning the solution to accomplish what you're trying to do. Have 1 Outside interface to connect to the ISP router. Have the ISP set a static route for the non-BGP subnet and point it directly to your firewall IP address.

Have 2 IP addresses on the server, and set up static NATing for each IP address: one into the BGP IP block and one into the non-BGP IP block.

Doing it this way keeps the ASA from having to have 2 default gateways and be connected via 2 interfaces to the Internet.
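As an added illustration of the redesign proposed above (not configuration from the original thread), here is what the single-outside-interface version could look like in ASA 8.3+ object NAT syntax. The interface roles, the ASA outside address 10.10.10.2, the object and ACL names, and the upstream router's static routes are assumptions; the real and mapped addresses are the ones the thread gives.

```text
! One outside interface only: a single default route, no second gateway.
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 172.16.100.5 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
!
! One static NAT per server address; both replies leave via the same
! outside interface, so the ASA rewrites the source to the mapped IP.
object network SRV20-INSIDE
 host 172.16.100.20
 nat (inside,outside) static 10.10.11.20
!
object network SRV25-INSIDE
 host 172.16.100.25
 nat (inside,outside) static 10.10.12.25
!
object-group network SRV-INSIDE
 network-object host 172.16.100.20
 network-object host 172.16.100.25
!
! Post-8.3 ACLs match on the real (inside) address. Only echo is opened
! inbound; echo-reply is matched by the ICMP inspection state below.
access-list OUTSIDE-IN extended permit tcp any object-group SRV-INSIDE eq telnet
access-list OUTSIDE-IN extended permit icmp any object-group SRV-INSIDE echo
access-group OUTSIDE-IN in interface outside
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
! The mapped blocks are not on the 10.10.10.0/24 link, so the upstream
! router needs static routes toward the ASA (IOS syntax, assumed):
!   ip route 10.10.11.0 255.255.255.0 10.10.10.2
!   ip route 10.10.12.0 255.255.255.0 10.10.10.2
```

Because ICMP is inspected, the echo reply is matched to the inbound echo's translation, so a ping to 10.10.12.25 is answered from 10.10.12.25 rather than from the server's inside address.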
